Assurances as to the identity of the decrypter, i.e. the recipient, are just as
necessary as those associated with the encrypter. To address this it is known to
employ the services of a trusted third party (TTP) or certificate authority. The
role of the TTP is to certify to either or both parties that the other is who they
purport to be. Certification links a particular key with the identity of a party.
Clearly, the security of the TTP is vital to its standing as an issuer of
certificates.

The certificate typically includes identification data as well as identification of
the certification authority and the duration for which the certificate is valid. A
so-called distinguished name provides authentication of an identity linked to a
specific capacity, e.g. rank in an organisational hierarchy. This can be used in
addition to the certificate associated with the transacting site.

Encryption software enables users to communicate securely by encrypting files
and attaching them to electronic mail (e-mail) messages. The files cannot be
read by anybody other than the intended recipient of proven identity.

There is a need for an electronic equivalent of the recorded and registered postal
systems. In many instances, it is necessary for the sender of mail at least to
have verification that it has been received by the authorised recipient (proof of
delivery). A recorded postal letter is signed for by the recipient when it is
handed over by the deliverer. A registered postal letter is tracked through the
postal system and logged as having passed various points up to delivery.

In an e-mail system the verification of delivery is not necessarily assured,
because either the recipient's acknowledgement software may be disabled or
someone may be fraudulently posing as the intended recipient. E-mail is not
inherently secure. Thus, the security of an e-mail message depends entirely upon
encryption of the message and upon the encryption system remaining
uncompromised.

It has been proposed that recorded e-mail delivery can be effected by using an
encryption system by which an encrypted message is transferred to, and held
by, a central point associated with a TTP for onward delivery to an
authenticated user. The message is stored at the TTP until it is requested by the
intended recipient in response to notification that the message is waiting.
However, it has been found that there is a practical limit on the amount of
information the TTP can store. Thus, the system is dependent upon the storage
capacity of the TTP. Furthermore, not only the encryption system but the
message itself has to conform to the TTP's reception and transmission system,
both in terms of format and transmission medium.

According to the present invention there is provided a data transfer system
comprising: a sender facility; a receiver facility and a key facility; the sender
facility having means for encrypting data for the intended recipient, means for
splitting the data into encrypted parts such that no part is decryptable on its own,
means for encrypting at least one of the parts for a third party to produce a
further encrypted part, means for combining the further encrypted part and the
remaining encrypted part to produce a data block and means for sending the
data block, the receiver facility having means for receiving the data block,
means for requesting decryption of the further encrypted part by the key facility
which has means for decrypting the further encrypted part and means for
sending it to the receiver facility and the receiver facility also having means for
decrypting the encrypted part and the decrypted further encrypted part provided
by the key facility.
PKCS#7 mode. The Entrust security system has various architecture
components. The security is based on a choice of symmetric key algorithm,
including the Data Encryption Standard (DES), Triple DES and CAST;
asymmetric or public key algorithms, such as RSA, DSA and Diffie-Hellman;
and hashing algorithms such as SHA-1, MD2 and MD5. These are only examples
of key systems. Other key systems will be known to the skilled person which
could be used to equal effect. The receiver and TTP sites are similarly provided
with Entrust System components configured to receive and decrypt data sent by
the sender as described below.

Referring to Figure 4a, at the sender site 10 the plain text message P/T is both
encrypted with the public key for the recipient or a group of recipients and
signed by the PEM method using the sender's private key. The 'header' part of
the message is split off, i.e. in the standard PEM format that part from
"-----BEGIN PRIVACY-ENHANCED MESSAGE-----" to the terminating empty
line. This is referred to as the "inner header" 22. The remainder is the
"encrypted text" 20.

Referring to Figure 4b, still at the sender site 10, the inner header 22 is further
encrypted by the PEM method for the public key of the third party only, and
signed. This produces an "encrypted header" 24 and an "outer header" 26. The
encrypted text 20, encrypted inner header 24 and outer header 26 are combined
and digitally signed (signature 27). The Message Integrity Check (MIC) field
of the outer header 26 is a convenient unique identifier, as it is a hash of the
inner header 22 which, in turn, contains a hash of the plaintext; so the outer
header MIC is dependent on the contents of the plaintext. Also, the inner
header varies even when the same plaintext is used, as the symmetric key is
chosen at random on each occasion; the outer header MIC therefore identifies a
particular sending of a message rather than merely its content.

The encrypted text 20, encrypted inner header 24, the outer header 26 and
signature 27 are sent as a Multipurpose Internet Mail Extensions (MIME)
attachment within an e-mail message to form a message package. The
unencrypted body of the message itself is an explanation of the sent data and
instructions to the recipient on how to obtain software to decrypt the MIME
inclusion.

The sender (and recipient) software for preparing the encrypted data comprises
Microsoft Exchange or Outlook management software as well as the new
plug-in interface. The preparation of the message is Windows-based, providing
a tool bar button to click on if the service is required for encrypting e-mail
transmission.

This embodiment of the invention is a form of e-mail recorded delivery. Thus,
the prepared secure message is sent by the SMTP connection to the receiver site
directly. At the same time an alerting message may be sent from the sender site
to the TTP. Upon receipt of the e-mail message package the recipient is
presented with the open e-mail message containing the instructions, the cipher
text, the encrypted header and the outer header intended for the TTP. The
recipient's software extracts the encrypted inner header and the outer header,
signs them as one block using PEM or PKCS#7 and transmits them to the TTP
using TCP/IP. Thus, the receiver site is instructed by the open e-mail message
to send at least the encrypted header 24 and the outer header 26 to the TTP, as
indicated in Figure 4c, as a request for decryption of the encrypted header.
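The packaging of Figures 4a and 4b, the signed decryption request of Figure 4c and the TTP's check-and-log step, as an added example that is not part of the patent and is not the Entrust or Exchange plug-in software it describes. It substitutes modern stand-ins for the PEM machinery, all of which are assumptions of this example: AES-256-GCM under a random content key for the symmetric layer, RSA-OAEP to wrap that key for the recipient and again for the TTP, Ed25519 for the sender's signature 27 and for the recipient's signed request, and a JSON structure in place of the PEM header syntax. The TTP is called in-process rather than over TCP/IP, and the identifier a recipient presents (the string the TTP looks up) stands for what its certificate would bind; the names Header, Package, TTP, NewRSA, Send, Serve and Receive are this example's, not the patent's.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"errors"
)

type Header struct { // one encryption layer's metadata: the role the PEM header plays
	WrappedKey []byte // AES-256 content key under the layer recipient's RSA-OAEP public key
	Nonce      []byte // AES-GCM nonce
	MIC        []byte // SHA-256 of what this layer protects (the message integrity check)
}

// Package is the MIME inclusion of Figure 4b; the numerals follow the description.
type Package struct {
	EncryptedText   []byte // 20: plaintext under a random content key
	EncryptedHeader []byte // 24: inner header 22, readable by the TTP only
	OuterHeader     Header // 26: lets the TTP unwrap 24; its MIC identifies the package
	Signature       []byte // 27: sender's Ed25519 signature over 20, 24 and 26
}

type TTP struct {
	Key        *rsa.PrivateKey              // the third party's decryption key
	Recipients map[string]ed25519.PublicKey // certified recipient signing keys, by identity
	Log        map[string]string            // outer MIC -> recipient who fetched the inner header; make() before use
}

// must turns the errors that cannot occur with well-formed keys into panics.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// NewRSA makes a 2048-bit decryption key for a recipient or for the TTP.
func NewRSA() *rsa.PrivateKey { return must(rsa.GenerateKey(rand.Reader, 2048)) }

// encode gives the canonical bytes that signatures cover and that the inner header travels as.
func encode(v any) []byte { return must(json.Marshal(v)) }

func gcmFor(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }

// seal encrypts data under a fresh random AES-256-GCM key wrapped to pub and records a MIC of data.
func seal(pub *rsa.PublicKey, data []byte) ([]byte, Header) {
	kn := make([]byte, 32+12) // content key then nonce; new on every call, so equal plaintexts never share a header
	rand.Read(kn)             // crypto/rand never returns an error
	wrapped := must(rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, kn[:32], nil))
	mic := sha256.Sum256(data)
	return gcmFor(kn[:32]).Seal(nil, kn[32:], data, nil), Header{wrapped, kn[32:], mic[:]}
}

// open reverses seal with the layer recipient's private key; the GCM tag rejects any tampering.
func open(priv *rsa.PrivateKey, ct []byte, h Header) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, h.WrappedKey, nil)
	if err != nil || len(key) != 32 { // validate before the key reaches AES
		return nil, errors.New("header was not wrapped for this key")
	}
	return gcmFor(key).Open(nil, h.Nonce, ct, nil)
}

// Send (Figures 4a and 4b): encrypt for the recipient, split off the inner header, encrypt it for the TTP only, sign all.
func Send(sender ed25519.PrivateKey, recipient, ttp *rsa.PublicKey, plaintext []byte) *Package {
	text, inner := seal(recipient, plaintext)   // 20 and 22
	encHdr, outer := seal(ttp, encode(inner)) // 24 and 26
	sig := ed25519.Sign(sender, encode([]any{text, encHdr, outer}))
	return &Package{text, encHdr, outer, sig}
}

// Serve (TTP side of Figure 4c): verify which certified recipient signed, log the request under the outer MIC as proof of delivery, return the inner header.
func (t *TTP) Serve(from string, encHdr []byte, outer Header, sig []byte) (inner Header, err error) {
	pub, ok := t.Recipients[from]
	if !ok || !ed25519.Verify(pub, encode([]any{from, encHdr, outer}), sig) {
		return inner, errors.New("request not signed by a certified recipient")
	}
	innerBytes, err := open(t.Key, encHdr, outer)
	if err == nil {
		t.Log[string(outer.MIC)] = from // what the sender's status query reads (Figure 3, steps 4 and 5)
		err = json.Unmarshal(innerBytes, &inner)
	}
	return inner, err
}

// Receive: check the sender's signature, fetch the inner header with a signed request, then decrypt the text.
func Receive(me string, sign ed25519.PrivateKey, dec *rsa.PrivateKey, sender ed25519.PublicKey, p *Package, t *TTP) ([]byte, error) {
	if !ed25519.Verify(sender, encode([]any{p.EncryptedText, p.EncryptedHeader, p.OuterHeader}), p.Signature) {
		return nil, errors.New("package not signed by the expected sender")
	}
	inner, err := t.Serve(me, p.EncryptedHeader, p.OuterHeader, ed25519.Sign(sign, encode([]any{me, p.EncryptedHeader, p.OuterHeader})))
	if err != nil {
		return nil, err
	}
	return open(dec, p.EncryptedText, inner)
}
```

Serve logs only a request that carried a valid signature from a certified recipient and that it could actually decrypt, so an entry in Log is the proof of delivery of claim 7 and what the originator's status query of Figure 3 reads. Because seal draws a fresh content key every time, two sendings of the same plaintext give different outer MICs, which is what makes the MIC a per-message identifier rather than a hash of the content. The inner header is wrapped for the TTP alone, so the recipient's own RSA key cannot open it: without the TTP's co-operation, and hence without the log entry, the text stays sealed.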

At the TTP the signature is checked. This process reveals the identity of the 
CLAIMS:

1. A data transfer system comprising: a sender facility; a receiver facility
and a key facility; the sender facility having means for encrypting data for the
intended recipient, means for splitting the data into encrypted parts such that no
part is decryptable on its own, means for encrypting at least one of the parts for
a third party to produce a further encrypted part, means for combining the
further encrypted part and the remaining encrypted part to produce a data block
and means for sending the data block, the receiver facility having means for
receiving the data block, means for requesting decryption of the further
encrypted part by the key facility which has means for decrypting the further
encrypted part and means for sending it to the receiver facility and the receiver
facility also having means for decrypting the encrypted part and the decrypted
further encrypted part provided by the key facility.

2. A system as claimed in claim 1 in which the sender facility includes 
means for signing the data block. 

3. A system as claimed in claim 1 or 2 in which the means for sending at
the sender facility are arranged to send the data block to the key facility and the
key facility includes means for receiving the data block and forwarding the said
block to the receiver facility.

4. A system as claimed in claim 3 in which the key facility further includes 
means for logging receipt of the data block. 
5. A system as claimed in claim 1 or 2 in which the means for sending at
the sender facility are arranged to send the data block to the receiver facility and 
the receiver facility includes means for receiving the data block. 

6. A system as claimed in claim 5 in which the key facility further includes 
means for logging receipt of the further encrypted part. 

7. A system as claimed in any of claims 1 to 6 in which the key facility 
includes means for logging receipt of the request for decryption of the further 
encrypted part as proof of delivery of the block to the receiver facility. 

8. A system as claimed in claim 7 in which the sender facility includes 
means for requesting proof of delivery information from the key facility. 
FIG. 2

SECURE COURIER WITH POST MARKING 

KEY:
SMTP CONNECTION

1: MESSAGE SENT FROM POST OFFICE 

2: POST OFFICE RETURNS PROOF-OF-SUBMISSION 

3: POST OFFICE DELIVERS MESSAGE 

4: RECIPIENT REQUESTS THE KEY TO DECIPHER THE MESSAGE 
FIG. 3

SECURE COURIER WITHOUT POST MARKING 

KEY:
SMTP CONNECTION

1: MESSAGE SENT FROM ORIGINATOR TO RECIPIENT 

2: RECIPIENT REQUESTS THE KEY TO DECIPHER THE MESSAGE 

3: POST OFFICE LOGS THE REQUEST AND RETURNS THE KEY 

4: ORIGINATOR QUERIES THE STATUS OF THE MESSAGE 

5: POST OFFICE RETURNS RESPONSE TO THE ORIGINATOR'S QUERY